#!/usr/bin/env python
'''
This is a Proof of Concept for MIR, an automated malware analysis framework
that uses many web-based, and some local, analysis tools to quickly give
you an idea about what the file you gave it does.

MIR-PoC currently posts your malware to:
- VirusTotal,
- Anubis,
- CWSandbox,
- Joebox,
- and ThreatExpert.

--------------

The original authors of this script are:
Dan Guido <dguido@gmail.com>
Alicia Bozyk <alicia.bozyk@gmail.com>

and parts of the code were inspired from the following sources:

VirusTotal submission script - http://jon.oberheide.org/
Jon Oberheide <jon@oberheide.org>

sqlmap - http://sqlmap.sourceforge.net/
Bernardo Damele A. G. <bernardo.damele@gmail.com>

Sandbox submission scripts @ http://www.sudosecure.net/
Jeremy <jeremy@sudosecure.net>

--------------

Parts of this software require the poster module:
http://atlee.ca/software/poster/

'''

CONFIG_FILE = "default.cfg"

import os
import sys

from lib.core.common import move_file, copy_file, check_file, create_directory
from lib.core.metadata import initial_metadata, write_metadata
from lib.core.email import email_configured, smtp_auth

from lib.parse.config import initialize

import lib.av.virustotal as virustotal
import lib.sandbox.anubis as anubis
import lib.sandbox.threatexpert as threatexpert
import lib.sandbox.cwsandbox as cwsandbox
import lib.sandbox.joebox as joebox

def main():
	# Import the config file and the cmdline options
	# into a dictionary called config
	config = initialize(CONFIG_FILE)
	
	# Create a case directory from the ticket number
	config['case_directory'] = create_directory(
						os.path.join(config['root_directory'], str(config['ticket'])))
	
	# Generate and stores hashes and the original filename
	metadata = initial_metadata(config['filepath'])
	
	# Move the file into the case directory
	copy_file(config['filepath'], config['case_directory'])
	# Update the full path to include the case directory
	config['filepath'] = os.path.join(config['case_directory'], metadata['filename'])
	
	print '\n--- Beginning analysis on %s ---' % metadata['filename']
	
	# Search for existing VirusTotal reports
	if not virustotal.search(metadata) and email_configured(config):
		# Submit the file to VirusTotal if none are found
		# Check if the user configured SMTP AUTH
		if smtp_auth(config):
			virustotal.send(config['filepath'], config['from_addr'], config['smtp_host'],
							config['smtp_port'], config['smtp_user'], config['smtp_pass'])
		else:
			virustotal.send(config['filepath'], config['from_addr'], config['smtp_host'],
							config['smtp_port'], None, None)
	
	analyze_executable(config, metadata)
	
	# Write analysis results to disk
	write_metadata(config['case_directory'], metadata)

def analyze_executable(config, metadata):
	# You cannot search previous reports on Anubis
	# Therefore, all we can do is submit a new one
	if anubis.authed(config):
		anubis.submit(config['filepath'], config['from_addr'],
						config['anubis_user'], config['anubis_pass'])
	else:
		anubis.submit(config['filepath'], config['from_addr'], None, None)
	
	# Search for existing ThreatExpert reports
	if not threatexpert.search(metadata):
		threatexpert.submit(config['filepath'], config['from_addr'])
	
	# CWSandbox searches and submits all in one step
	#submission form seems to have changed in the last month
	#cwsandbox.submit(config['filepath'], config['from_addr'], metadata)
	
	# You can't search Joebox
	joebox.submit(config['filepath'], config['from_addr'])
			
if __name__ == '__main__':
	main()